By Ilya Dreytser
You may not want to send that second factor SMS code to your phone.
The new ILTA Spring 2016 Peer to Peer magazine is out. Ilya’s article appears on page 42.
With today’s increasingly mobile-enabled workforce, receiving second-factor authentication tokens by SMS (text message) or by mobile app is becoming completely ineffective. Is it time to bring back physical second-factor authentication tokens? Or is it time to move on to a biometric option?
Consider the three most popular methods of second-factor authentication delivery. A code can be:
1. Sent by SMS
2. Displayed in a mobile app
3. Displayed on a physical token
Second-factor authentication solutions based on mobile apps and SMS work well and are much cheaper and easier to manage than physical tokens. However, as email and access to firm resources become available from a phone or tablet, sending the second-factor authentication code to the same mobile device it is intended to protect no longer provides any additional protection at all. Physical tokens are becoming relevant again, but they are more expensive to deploy and manage, and they can easily be lost or even stolen. That’s why it’s time to consider biometric solutions.
The fingerprint and password/PIN combination covers all three authentication factors:
1. Something you know (your password or PIN)
2. Something you have (your mobile device or a physical token)
3. Something you are (your biometrics)
Fingerprints are also much faster to input than long, complex passwords, so you could ask users to present a fingerprint every time they access firm data with little objection.
No authentication method is completely secure. A physical token can be compromised, as we saw with RSA in 2011. Mobile device PINs can be shared, guessed or hacked. Fingerprint readers or the OS software can have exploitable security flaws as well. However, these risks pale compared to sending a second-factor authentication code via SMS or mobile app to the very device that has been compromised or stolen.